Cyber Incident Victim: Attent Zorg en Behandeling
Date: Feb 2023
Location: Netherlands
Summary
The Qilin ransomware group breached a Dutch elderly care facility, Attent Zorg en Behandeling, by exploiting an unpatched vulnerability, stealing hundreds of gigabytes of sensitive data including employee passports, internal communications, salary details, and non-disclosure agreements. Following the facility's refusal to pay a ransom, the attackers leaked portions of the data online, including expired passport copies retained for years. The incident caused temporary technical disruptions, but critical systems such as client records, financial operations, and personnel databases were restored within days.
Description
On February 17, 2023, the Qilin ransomware group breached the systems of Attent Zorg en Behandeling, a care facility in Gelderland, Netherlands, exploiting an unpatched vulnerability to gain unauthorized network access. The attackers stole hundreds of gigabytes of sensitive data, including internal communications, salary statements, non-disclosure agreements, and passport copies belonging to physicians, nurses, and physiotherapists. Technical disruptions immediately impacted facility operations, prompting the organization to publicly announce the breach via its website. By February 20, three days post-attack, the institution restored a significant portion of affected systems—including telephone services, client dossier databases, and financial and personnel management platforms. Qilin threatened to publish stolen data unless paid a ransom, escalating the incident into a double-extortion scenario. In early March 2023, the group followed through by leaking subsets of the data on their dark web site, notably exposing expired passport copies retained by the facility for up to ten years. The published documents revealed systemic retention of outdated identification records beyond operational necessity.

Attent Zorg en Behandeling’s restoration efforts prioritized reactivating critical care delivery systems within 72 hours, though the breach permanently compromised decades’ worth of employee and administrative records. The leaked passports exposed healthcare workers to identity theft risks, while salary disclosures and internal communications created reputational and legal liabilities. No evidence indicates patient medical records were exfiltrated, limiting direct care impacts. The facility did not publicly disclose whether ransom negotiations occurred or confirm the vulnerability’s technical nature. Qilin’s claim of exploiting unpatched software aligned with common ransomware intrusion patterns, though independent verification of this vector remained absent from official statements. Data publication timelines suggested the group escalated pressure tactics after initial non-payment, using stolen documents as leverage. The incident underscored vulnerabilities in long-term data retention practices at healthcare support organizations.
